How To Make Risk Come Alive As A Non-Executive Director

Risk management is a serious topic and one that all Non-Executives should be focused on. The absence of an effective risk management strategy can have catastrophic results for a brand’s reputation and a company’s bottom line. It is important for boards to have the right mindset towards risk, and getting the balance right is key. A board with a reckless attitude to risk is dangerous, but so is one that becomes so cautious it is effectively risk averse; both can lead to huge losses. Instead, risks need to be identified, monitored and managed at all levels.

Ultimately, it is the whole board’s responsibility to set the tone for the risk culture, issuing clear guidance on risk appetite and putting in place appropriate escalation processes. In the event of a problem, the buck will stop with all board members so it is never the sole responsibility of a single board member or any one board committee but a collective effort. Simon Laffin, an experienced chairman, non-executive director, mentor and author of ‘Behind Closed Doors: The Boardroom – how to get in, get on and make a difference’, agrees. “Risk isn’t something to delegate to the risk committee”, he says. “It’s not a report to fill out. You can’t talk about strategy on one hand and risk on the other, because they are exactly the same thing”.

In this blog we share some reflections from our NED Community meet-up on “how to make risk come alive”. Simon Laffin was our guest speaker and you can watch his talk below:

The Pitfalls of Risk Management

The role of the board isn’t to know all the answers but to ask the right questions. Here are some of the most common mistakes of risk management and what Non-Executives can do to avoid them.

Mistake #1 – Preparing for events that have only happened recently

“Uncommon events are far more common than you think”, reflects Laffin, and he’s right. You only need to look at the last three years which have seen Boards having to manage and mitigate a whole spectrum of unexpected events including the COVID-19 pandemic, Russia’s invasion of Ukraine, an energy crisis and the soaring cost of doing business.

Boards are having to adopt a much more structured and formal approach to ‘horizon scanning’ for potential future risks to their organisation, considering what is happening in the world and how it applies to the organisation. Resources like the World Economic Forum’s annual Global Risks Report highlight rapidly changing risks the world is likely to face over the next 10 years and can help boards decide which topics need to be on their radar and added to their risk system. Making that call isn’t always easy and requires a strong board with a diverse range of skills and experience to truly understand the implications of the risks being presented to them. Methodologies and tools such as risk heat maps, SWOT analysis and PESTLE analysis can help boards assess risks comprehensively and in a structured way.

Mistake #2 – Prioritising the most likely risk, not the most deadly

Just because a risk is more likely, doesn’t make it the most impactful. “Likely risks may have already happened so you probably have some measure of mitigation and tolerance,” says Laffin. “People tend to be dismissive of rarer but deadlier risks, because they haven’t yet happened or they happened a long time ago. But if they do, and you are ill-prepared, the results can be devastating,” he adds. 

Having a risk register that uses risk appetite themes as the base framework for the organisation’s key areas, broken down into individual risks, will help to highlight hidden threats to the business. Each risk should be scored separately, against agreed scoring criteria, for the likelihood of it happening and for the impact it would have on the organisation if it did. It is important that these two scores are not collapsed into a single number: they measure different things and call for different risk management responses.

For example, a risk could be almost certain to occur, and to recur regularly, but have only a ‘minor’ impact on the business. It may well require immediate action, but even if no action were taken the business could easily withstand the effect of the risk materialising. On the other hand, you may have a risk that is unlikely to take place but that, if it did, could destabilise the business to its core. Presenting the risks in this way gives the Board a clearer picture of its risk exposure and lets it make a better-informed decision on how to prioritise each one.
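To show why the two scores should be kept apart, here is an added illustration that is not part of the post or of Laffin’s talk: a toy risk register with constructed entries on an assumed 1 to 5 scale for likelihood and impact. Ranking by a single combined score (likelihood multiplied by impact, the usual heat-map shortcut) pushes the rare-but-deadly risks to the bottom of the list; ranking impact first, with likelihood kept as a separate score, brings them to the top. The risk names, themes and scores are invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of the register. Scores are on an assumed 1..5 scale."""
    name: str
    theme: str        # risk appetite theme the risk sits under
    likelihood: int   # 1 = rare, 5 = almost certain
    impact: int       # 1 = minor, 5 = could destabilise the business


# Constructed sample register (illustrative entries, not real data).
REGISTER = [
    Risk("Shop-floor theft", "Operations", likelihood=5, impact=2),
    Risk("Key supplier delivers late", "Supply chain", likelihood=4, impact=3),
    Risk("Card data breach", "Information security", likelihood=3, impact=4),
    Risk("Head office closed for weeks", "Business continuity", likelihood=1, impact=5),
    Risk("Contaminated product reaches market", "Product safety", likelihood=1, impact=5),
]


def single_score(risk: Risk) -> int:
    """The common shortcut: collapse both dimensions into one number."""
    return risk.likelihood * risk.impact


def rank_by_single_score(register: list[Risk]) -> list[Risk]:
    """Order the register by the collapsed score, highest first.

    Python's sort is stable, so risks with equal scores keep register order.
    """
    return sorted(register, key=single_score, reverse=True)


def rank_by_impact(register: list[Risk]) -> list[Risk]:
    """Keep the scores separate: most damaging first, likelihood as tiebreak."""
    return sorted(register, key=lambda r: (r.impact, r.likelihood), reverse=True)


def tail_risks(register: list[Risk], min_impact: int = 5, max_likelihood: int = 2) -> list[str]:
    """Rare but deadly: the entries a collapsed score tends to bury."""
    return [r.name for r in register
            if r.impact >= min_impact and r.likelihood <= max_likelihood]


def heat_map(register: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Bucket risks by (impact, likelihood) so both dimensions stay visible."""
    grid: dict[tuple[int, int], list[str]] = {}
    for r in register:
        grid.setdefault((r.impact, r.likelihood), []).append(r.name)
    return grid


if __name__ == "__main__":
    print("Ranked by single combined score:")
    for r in rank_by_single_score(REGISTER):
        print(f"  {single_score(r):>2}  L{r.likelihood} I{r.impact}  {r.name}")
    print("Ranked impact-first, likelihood kept separate:")
    for r in rank_by_impact(REGISTER):
        print(f"  L{r.likelihood} I{r.impact}  {r.name}")
    print("Tail risks the combined score buries:", tail_risks(REGISTER))
```

Run as a script, the combined-score view puts the supplier and card-breach risks at the top and both impact-5 risks last, while the impact-first view puts those two at the top. The `heat_map` function is the same separation presented as a grid, which is how most boards will see it.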

Mistake #3 – Focusing on the risks and not the consequences

Start by thinking about an event happening and work backwards. For example, the event may be the closure of your head office. Now consider it in the context of trying to avoid that from happening, instead of obsessing about how it might happen e.g. a pandemic or a terrorist threat. “People tend to become distracted by thinking through what might happen and pontificating, or assessing, often completely unknowable probabilities,” confirms Laffin.

“The traditional company way of thinking about risk is appalling,” says Laffin. There is often a tunnel vision focus on the risk itself and putting systems in place to prevent that risk from occurring. This is followed by a false sense of security that the processes to stop the risk are so robust that the event will never actually happen anyway. As a result of this, little to no planning goes into what would happen in the worst case scenario.

This is where the Avoid-Trap-Mitigate model for risk comes into play:

Avoid the risk altogether
This is what traditional risk management calls mitigation. It means envisaging the event and then working out how to put roadblocks in the way to stop it from happening. For example, in retail the best way to handle theft as a risk is to deter it in the first place, which is much better than trying to catch a thief afterwards.

Trap the risk early
People often forget that you can’t manage an event if you don’t know it’s happening. It’s important to make sure the right information systems are in place to track emerging events before they become a big problem. Equally it is essential to have people that can interpret this information and feed it through the chain of command in a timely manner.

Mitigate the consequence
This step is often dismissed because people assume that a risk will never materialise in the first place.

Whilst it is essential to concentrate on actions that reduce the chance of the risk materialising in the first place, equal weight should be given to how a failure of those controls would be detected and to what the consequences would be if the risk did materialise.
For example, product contamination is a key risk in the food industry. A strong risk process might start by creating a dedicated committee to assess every stage of the production process that could lead to contamination and put measures in place to stop it from happening. It would then go one step further and plan how to detect that the preventive measures have failed, and what would happen if a contaminated product were accidentally sent to market and members of the public suffered food poisoning.

A key element of the response to a contamination incident would be how to handle the media. Who in the company would speak for the organisation, are they strong and credible on the issue, and are they media trained? All of this would need to be thought through in advance and included in the mitigation plans to limit the damage to the brand’s reputation.

The Board must take time to walk through every step of this model with the executive team and ensure that each stage has been mapped out carefully and that a clear mitigation plan is in place. When reviewing these mitigation plans as a Board Member, it is important to cut out the fluff. “Take every mitigation plan that you’ve got that uses the following words – manage, review, monitor, ensure, committee – and throw them all out,” says Laffin. The information presented should be clear, detailed and action-specific, so that you are not left second-guessing or making assumptions.

Keeping the risk agenda alive

Risk management is an evolving process and sits at the heart of governance in the boardroom. The Board must consider risk in every decision it makes, regularly review the risk register, revisit the company’s appetite for risk, horizon scan for potential threats and assess the wider risk management framework to ensure that it remains up-to-date and fit for purpose.

Join the discussion

Are you currently a Non-Executive Director and want to learn more about topics like this and meet with other like-minded NEDs? If so, join our free community! To become a more thoughtful and effective board member, register here.

View paid Non-Exec roles across the UK

If you are looking for your next board role, click here to sign up and view our roles. We list c.100 NED roles every month. It’s totally free to view our roles, and we provide blogs and YouTube videos to encourage and inspire Non-Executive Directors at every stage of their career. 

Advertise your role with Dynamic Boards

If you or your board are recruiting for a NED or Chair, we can help you advertise your role to candidates who will bring the skills, experience and perspectives you need on your board. We have helped search firms and companies directly across all sectors advertise over 1000 Non-Exec board roles a year from across the UK. View more information on our advertising options here or alternatively you can get in touch with the Dynamic Boards team at

Copyright © Dynamic Boards Ltd 2021